Rename Communicate as new user to Communicate as backdoor user
This commit is contained in:
parent
7e293ac16d
commit
10697934d6
|
@ -70,10 +70,12 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Improve runtime of some unit tests. #1125
|
||||
- Run curl OR wget (not both) when attempting to communicate as a new user on
|
||||
Linux. #1407
|
||||
- Renamed Communicate as new user to Communicate as backdoor user. #1433
|
||||
|
||||
### Removed
|
||||
- Relevant dead code as reported by Vulture. #1149
|
||||
- Island logger config and --logger-config CLI option. #1151
|
||||
- Backdoor user post breach action. #1433
|
||||
|
||||
### Fixed
|
||||
- Attempt to delete a directory when monkey config reset was called. #1054
|
||||
|
|
|
@ -39,9 +39,9 @@ class MyNewPba(PBA):
|
|||
|
||||
#### Implementation
|
||||
|
||||
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `add_user.py` PBA for reference.
|
||||
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `account_discovery.py` PBA for reference.
|
||||
|
||||
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_new_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
|
||||
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_backdoor_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
|
||||
|
||||
### Modify the Monkey Island
|
||||
|
||||
|
@ -73,4 +73,4 @@ Now you can choose your PBA when configuring the Infection Monkey on the Monkey
|
|||
|
||||
#### Telemetry processing
|
||||
|
||||
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_new_user_telemetry` method as an example.
|
||||
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_backdoor_user_telemetry` method as an example.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
|
||||
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER = "Communicate as backdoor user"
|
||||
POST_BREACH_FILE_EXECUTION = "File execution"
|
||||
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
|
||||
POST_BREACH_HIDDEN_FILES = "Hide files and directories"
|
||||
|
|
|
@ -40,7 +40,7 @@ TEST_SCHEDULED_EXECUTION = "scheduled_execution"
|
|||
TEST_MALICIOUS_ACTIVITY_TIMELINE = "malicious_activity_timeline"
|
||||
TEST_SEGMENTATION = "segmentation"
|
||||
TEST_TUNNELING = "tunneling"
|
||||
TEST_COMMUNICATE_AS_NEW_USER = "communicate_as_new_user"
|
||||
TEST_COMMUNICATE_AS_BACKDOOR_USER = "communicate_as_backdoor_user"
|
||||
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES = "scoutsuite_permissive_firewall_rules"
|
||||
TEST_SCOUTSUITE_UNENCRYPTED_DATA = "scoutsuite_unencrypted_data"
|
||||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention"
|
||||
|
@ -58,7 +58,7 @@ TESTS = (
|
|||
TEST_DATA_ENDPOINT_HTTP,
|
||||
TEST_DATA_ENDPOINT_ELASTIC,
|
||||
TEST_TUNNELING,
|
||||
TEST_COMMUNICATE_AS_NEW_USER,
|
||||
TEST_COMMUNICATE_AS_BACKDOOR_USER,
|
||||
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES,
|
||||
TEST_SCOUTSUITE_UNENCRYPTED_DATA,
|
||||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION,
|
||||
|
@ -206,7 +206,7 @@ TESTS_MAP = {
|
|||
PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED],
|
||||
},
|
||||
TEST_COMMUNICATE_AS_NEW_USER: {
|
||||
TEST_COMMUNICATE_AS_BACKDOOR_USER: {
|
||||
TEST_EXPLANATION_KEY: "The Monkey tried to create a new user and communicate "
|
||||
"with the internet from it.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
|
|
|
@ -4,7 +4,7 @@ import shutil
|
|||
import string
|
||||
import subprocess
|
||||
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
from infection_monkey.post_breach.pba import PBA
|
||||
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
|
||||
from infection_monkey.utils.auto_new_user_factory import create_auto_new_user
|
||||
|
@ -26,7 +26,7 @@ USERNAME_PREFIX = "somenewuser"
|
|||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class CommunicateAsNewUser(PBA):
|
||||
class CommunicateAsBackdoorUser(PBA):
|
||||
"""
|
||||
This PBA creates a new user, and then creates HTTPS requests as that user. This is used for a
|
||||
Zero Trust test of the People pillar. See the relevant telemetry processing to see what findings
|
||||
|
@ -34,14 +34,16 @@ class CommunicateAsNewUser(PBA):
|
|||
"""
|
||||
|
||||
def __init__(self):
|
||||
super(CommunicateAsNewUser, self).__init__(name=POST_BREACH_COMMUNICATE_AS_NEW_USER)
|
||||
super(CommunicateAsBackdoorUser, self).__init__(
|
||||
name=POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
)
|
||||
|
||||
def run(self):
|
||||
username = CommunicateAsNewUser.get_random_new_user_name()
|
||||
username = CommunicateAsBackdoorUser.get_random_new_user_name()
|
||||
try:
|
||||
password = get_random_password()
|
||||
with create_auto_new_user(username, password) as new_user:
|
||||
http_request_commandline = CommunicateAsNewUser.get_commandline_for_http_request(
|
||||
http_request_commandline = CommunicateAsBackdoorUser.get_commandline_for_http_request(
|
||||
INFECTION_MONKEY_WEBSITE_URL
|
||||
)
|
||||
exit_status = new_user.run_as(http_request_commandline)
|
|
@ -1,4 +1,4 @@
|
|||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
from monkey_island.cc.services.attack.technique_reports.pba_technique import PostBreachTechnique
|
||||
|
||||
|
||||
|
@ -7,4 +7,4 @@ class T1136(PostBreachTechnique):
|
|||
unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
|
||||
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
|
||||
used_msg = "Monkey created a new user on the network's systems."
|
||||
pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]
|
||||
pba_names = [POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER]
|
||||
|
|
|
@ -22,7 +22,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
|
|||
"""
|
||||
:param post_breach_action_names: Names of post-breach actions with which the technique is
|
||||
associated
|
||||
(example - `["Communicate as new user"]` for T1136)
|
||||
(example - `["Communicate as backdoor user"]` for T1136)
|
||||
:return: Mongo query that parses attack telemetries for a simple report component
|
||||
(gets machines and post-breach action usage).
|
||||
"""
|
||||
|
|
|
@ -7,8 +7,8 @@ POST_BREACH_ACTIONS = {
|
|||
"anyOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"enum": ["CommunicateAsNewUser"],
|
||||
"title": "Communicate as new user",
|
||||
"enum": ["CommunicateAsBackdoorUser"],
|
||||
"title": "Communicate as backdoor user",
|
||||
"safe": True,
|
||||
"info": "Attempts to create a new user, create HTTPS requests as that "
|
||||
"user and delete the user "
|
||||
|
|
|
@ -67,7 +67,7 @@ MONKEY = {
|
|||
"uniqueItems": True,
|
||||
"items": {"$ref": "#/definitions/post_breach_actions"},
|
||||
"default": [
|
||||
"CommunicateAsNewUser",
|
||||
"CommunicateAsBackdoorUser",
|
||||
"ModifyShellStartupFiles",
|
||||
"HiddenFiles",
|
||||
"TrapCommand",
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
import copy
|
||||
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_new_user import (
|
||||
from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_backdoor_user import (
|
||||
check_new_user_communication,
|
||||
)
|
||||
|
||||
EXECUTION_WITHOUT_OUTPUT = "(PBA execution produced no output)"
|
||||
|
||||
|
||||
def process_communicate_as_new_user_telemetry(telemetry_json):
|
||||
def process_communicate_as_backdoor_user_telemetry(telemetry_json):
|
||||
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json["monkey_guid"])
|
||||
message = telemetry_json["data"]["result"][0]
|
||||
success = telemetry_json["data"]["result"][1]
|
||||
|
@ -18,7 +18,7 @@ def process_communicate_as_new_user_telemetry(telemetry_json):
|
|||
|
||||
|
||||
POST_BREACH_TELEMETRY_PROCESSING_FUNCS = {
|
||||
POST_BREACH_COMMUNICATE_AS_NEW_USER: process_communicate_as_new_user_telemetry,
|
||||
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER: process_communicate_as_backdoor_user_telemetry,
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_serv
|
|||
MonkeyZTFindingService,
|
||||
)
|
||||
|
||||
COMM_AS_NEW_USER_FAILED_FORMAT = "Monkey on {} couldn't communicate as new user. Details: {}"
|
||||
COMM_AS_NEW_USER_FAILED_FORMAT = "Monkey on {} couldn't communicate as backdoor user. Details: {}"
|
||||
COMM_AS_NEW_USER_SUCCEEDED_FORMAT = (
|
||||
"New user created by Monkey on {} successfully tried to "
|
||||
"communicate with the internet. Details: {}"
|
||||
|
@ -14,7 +14,7 @@ COMM_AS_NEW_USER_SUCCEEDED_FORMAT = (
|
|||
def check_new_user_communication(current_monkey, success, message):
|
||||
status = zero_trust_consts.STATUS_FAILED if success else zero_trust_consts.STATUS_PASSED
|
||||
MonkeyZTFindingService.create_or_add_to_existing(
|
||||
test=zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
|
||||
test=zero_trust_consts.TEST_COMMUNICATE_AS_BACKDOOR_USER,
|
||||
status=status,
|
||||
events=[
|
||||
get_attempt_event(current_monkey),
|
||||
|
@ -25,7 +25,7 @@ def check_new_user_communication(current_monkey, success, message):
|
|||
|
||||
def get_attempt_event(current_monkey):
|
||||
tried_to_communicate_event = Event.create_event(
|
||||
title="Communicate as new user",
|
||||
title="Communicate as backdoor user",
|
||||
message="Monkey on {} tried to create a new user and communicate from it.".format(
|
||||
current_monkey.hostname
|
||||
),
|
||||
|
@ -40,7 +40,7 @@ def get_result_event(current_monkey, message, success):
|
|||
)
|
||||
|
||||
return Event.create_event(
|
||||
title="Communicate as new user",
|
||||
title="Communicate as backdoor user",
|
||||
message=message_format.format(current_monkey.hostname, message),
|
||||
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
|
||||
)
|
|
@ -175,7 +175,7 @@
|
|||
"PBA_windows_filename": "",
|
||||
"PBA_linux_filename": "",
|
||||
"post_breach_actions": [
|
||||
"CommunicateAsNewUser",
|
||||
"CommunicateAsBackdoorUser",
|
||||
"ModifyShellStartupFiles",
|
||||
"HiddenFiles",
|
||||
"TrapCommand",
|
||||
|
|
|
@ -18,8 +18,8 @@ EVENTS = [
|
|||
timestamp=datetime.strptime("2021-01-19 12:07:17.802138", "%Y-%m-%d %H:%M:%S.%f"),
|
||||
),
|
||||
Event.create_event(
|
||||
title="Communicate as new user",
|
||||
message="Monkey on gc-pc-244 couldn't communicate as new user. "
|
||||
title="Communicate as backdoor user",
|
||||
message="Monkey on gc-pc-244 couldn't communicate as backdoor user. "
|
||||
"Details: System error 5 has occurred. Access is denied.",
|
||||
event_type="monkey_network",
|
||||
timestamp=datetime.strptime("2021-01-19 12:22:42.246020", "%Y-%m-%d %H:%M:%S.%f"),
|
||||
|
@ -28,7 +28,7 @@ EVENTS = [
|
|||
|
||||
TESTS = [
|
||||
zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
|
||||
zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
|
||||
zero_trust_consts.TEST_COMMUNICATE_AS_BACKDOOR_USER,
|
||||
]
|
||||
|
||||
STATUS = [
|
||||
|
|
Loading…
Reference in New Issue